

What is claimed is:

1        1. An apparatus comprising:

2            a configuration storage storing configuration settings to configure an access transaction  
3            generated by a processor having a normal execution mode and an isolated execution mode, the  
4            configuration settings including a plurality of subsystem memory range settings, the access  
5            transaction including access information; and

6            a multi-memory zone access checking circuit coupled to the configuration storage to  
7            check the access transaction using at least one of the configuration settings and the access  
8            information, the multi-memory zone access checking circuit generating an access grant signal if  
9            the access transaction is valid.

1        2. The apparatus of claim 1 wherein the access information includes a physical  
2        address.

1        3. The apparatus of claim 2 wherein the configuration storage further comprises a  
2        process control register storing an execution mode word, the execution mode word being  
3        asserted as an execution mode signal when the processor is configured in the isolated execution  
4        mode.

1        4. The apparatus of claim 3 wherein the configuration settings include a memory  
2        mask value, a memory base value, and a memory length value, a combination of at least two of  
3        the mask, base, and length values to define an isolated memory area in a memory external to the  
4        processor, the isolated memory area being accessible to the processor in the isolated execution  
5        mode.

1           5.     The apparatus of claim 3 wherein each subsystem memory range setting  
2     corresponds to a memory zone for a subsystem in an isolated memory area in a memory external  
3     to the processor.

1           6.     The apparatus of claim 5 wherein each subsystem memory range setting includes  
2     a subsystem memory mask value, a subsystem memory base value, and a subsystem memory  
3     length value, a combination of at least two of the subsystem mask, base, and length values to  
4     define a memory zone in the isolated memory area for the subsystem.

1           7.     The apparatus of claim 6 wherein an ID value for each subsystem identifies each  
2     subsystem and the subsystem's associated memory zone as defined by the subsystem memory  
3     range setting.

1           8.     The apparatus of claim 6 wherein the multi-memory zone access checking circuit  
2     comprises a subsystem address detector to detect if the physical address is within a currently  
3     active subsystem's associated memory zone as defined by the subsystem memory range setting  
4     for the subsystem, the subsystem address detector generating a subsystem address matching  
5     signal.

1           9.     The apparatus of claim 8 wherein the multi-memory zone access checking circuit  
2     further comprises an access grant generator coupled to the subsystem address detector and the  
3     processor control register, the access grant generator generating an access grant signal if both the  
4     subsystem address matching signal and the execution mode word signal are asserted.

1           10.    A method comprising:  
2              configuring an access transaction generated by a processor having a normal execution  
3     mode and an isolated execution mode using a configuration storage storing configuration

4 settings, the configuration settings including a plurality of subsystem memory range settings, the  
5 access transaction including access information;

6 checking the access transaction by a multi-memory zone access checking circuit using at  
7 least one of the configuration settings and the access information; and

8 generating an access grant signal if the access transaction is valid.

1 11. The method of claim 10 wherein the access information includes a physical  
2 address.

1 12. The method of claim 11 wherein the configuration storage comprises a process  
2 control register storing an execution mode word, the execution mode word being asserted as an  
3 execution mode signal when the processor is configured in the isolated execution mode.

1 13. The method of claim 12 wherein the configuration settings include a memory  
2 mask value, a memory base value, and a memory length value, a combination of at least two of  
3 the mask, base, and length values to define an isolated memory area in a memory external to the  
4 processor, the isolated memory area being accessible to the processor in the isolated execution  
5 mode.

1 14. The method of claim 12 wherein each subsystem memory range setting  
2 corresponds to a memory zone for a subsystem in an isolated memory area in a memory external  
3 to the processor.

4 15. The method of claim 14 wherein each subsystem memory range setting includes a  
5 subsystem memory mask value, a subsystem memory base value, and a subsystem memory  
6 length value, a combination of at least two of the subsystem mask, base, and length values to  
7 define a memory zone in the isolated memory area for the subsystem.

1        16.    The method of claim 15 wherein configuring the access transaction further  
2    comprises storing an ID value for each subsystem to identify each subsystem and the  
3    subsystem's associated memory zone as defined by the subsystem memory range setting.

1        17.    The method of claim 15 wherein checking the access transaction comprises  
2    detecting if the physical address is within a currently active subsystem's associated memory zone  
3    as defined by the subsystem memory range setting for the subsystem by a subsystem address  
4    detector, the subsystem address detector generating a subsystem address matching signal.

1        18.    The method of claim 17 wherein generating an access grant signal if the access  
2    transaction is valid comprises generating an access grant signal by an access grant generator if  
3    both the subsystem address matching signal and the execution mode word signal are asserted.

1        19.    A computer program product comprising:

2            a machine readable medium having computer program code therein, the computer  
3    program product comprising:

4            computer readable program code for configuring an access transaction generated by a  
5    processor having a normal execution mode and an isolated execution mode using a configuration  
6    storage storing configuration settings, the configuration settings including a plurality of  
7    subsystem memory range settings, the access transaction including access information;

8            computer readable program code for checking the access transaction by a multi-memory  
9    zone access checking circuit using at least one of the configuration settings and the access  
10   information; and

11            computer readable program code for generating an access grant signal if the access  
12   transaction is valid.

1           20. The computer program product of claim 19 wherein the access information  
2 includes a physical address.

1           21. The computer program product of claim 20 wherein the configuration storage  
2 comprises a process control register storing an execution mode word, the execution mode word  
3 being asserted as an execution mode signal when the processor is configured in the isolated  
4 execution mode.

1           22. The computer program product of claim 21 wherein the configuration settings  
2 include a memory mask value, a memory base value, and a memory length value, a combination  
3 of at least two of the mask, base, and length values to define an isolated memory area in a  
4 memory external to the processor, the isolated memory area being accessible to the processor in  
5 the isolated execution mode.

1           23. The computer program product of claim 21 wherein each subsystem memory  
2 range setting corresponds to a memory zone initiated for a subsystem in an isolated memory area  
3 in a memory external to the processor.

1           24. The computer program product of claim 23 wherein each subsystem memory  
2 range setting includes a subsystem memory mask value, a subsystem memory base value, and a  
3 subsystem memory length value, a combination of at least two of the subsystem mask, base, and  
4 length values to define a memory zone in the isolated memory area for the subsystem.

1           25. The computer program product of claim 24 wherein the computer readable  
2 program code for configuring the access transaction further comprises computer readable  
3 program code for storing an ID value for each subsystem to identify each subsystem and the  
4 subsystem's associated memory zone as defined by the subsystem memory range setting.

1           26. The computer program product of claim 24 wherein the computer readable  
2 program code for checking the access transaction comprises computer readable program code for  
3 detecting if the physical address is within a currently initialized subsystem's associated memory  
4 zone as defined by the subsystem memory range setting for the subsystem by a subsystem  
5 address detector, the subsystem address detector generating a subsystem address matching  
6 signal.

1           27. The computer program product of claim 26 wherein the computer readable  
2 program code for generating an access grant signal if the access transaction is valid comprises  
3 computer readable program code for generating an access grant signal by an access grant  
4 generator if both the subsystem address matching signal and the execution mode word signal are  
5 asserted.

1           28. A system comprising:

2           a chipset;

3           a memory coupled to the chipset having an isolated memory area;

4           a processor coupled to the chipset and the memory having an access manager, the  
5 processor having a normal execution mode and an isolate execution mode, the processor  
6 generating an access transaction having access information, the access manager comprising:

7           a configuration storage storing configuration settings to configure an access transaction  
8 generated by the processor, the configuration settings including a plurality of subsystem memory  
9 range settings; and

10           a multi-memory zone access checking circuit coupled to the configuration storage to  
11 check the access transaction using at least one of the configuration settings and the access

12 information, the multi-memory zone access checking circuit generating an access grant signal if  
13 the access transaction is valid.

1 29. The system of claim 28 wherein the access information includes a physical  
2 address.

1 30. The system of claim 29 wherein the configuration storage further comprises a  
2 process control register storing an execution mode word, the execution mode word being  
3 asserted as an execution mode signal when the processor is configured in the isolated execution  
4 mode.

1 31. The system of claim 30 wherein the configuration settings include a memory  
2 mask value, a memory base value, and a memory length value, a combination of at least two of  
3 the mask, base, and length values to define an isolated memory area in a memory external to the  
4 processor, the isolated memory area being accessible to the processor in the isolated execution  
5 mode.

1 32. The system of claim 30 wherein each subsystem memory range setting  
2 corresponds to a memory zone for a subsystem in an isolated memory area in a memory external  
3 to the processor.

1 33. The system of claim 32 wherein each subsystem memory range setting includes a  
2 subsystem memory mask value, a subsystem memory base value, and a subsystem memory  
3 length value, a combination of at least two of the subsystem mask, base, and length values to  
4 define a the memory zone in the isolated memory area for the subsystem.

1 34. The system of claim 33 wherein an ID value for each subsystem to identifies each  
2 subsystem and the subsystem's associated memory zone as defined by the subsystem memory  
3 range setting.

1           35. The system of claim 33 wherein the multi-memory zone access checking circuit  
2   comprises a subsystem address detector to detect if the physical address is within a currently  
3   active subsystem's associated memory zone as defined by the subsystem memory range setting  
4   for the subsystem, the subsystem address detector generating a subsystem address matching  
5   signal.

1           36. The system of claim 35 wherein the multi-memory zone access checking circuit  
2   further comprises an access grant generator coupled to the subsystem address detector and the  
3   processor control register, the access grant generator generating an access grant signal if both the  
4   subsystem address matching signal and the execution mode word signal are asserted.